GSMA Mobile Connect
GSMA Mobile Connect is an application of OpenID Connect that facilitates the use of mobile phones as authentication devices independent of the service provided, and independent of the device used to consume the service.
Mobile Connect thus offers a standard way for Mobile Network Operators to act as general-purpose identity providers, providing a range of levels of assurance and profile data to Mobile Connect-compliant Service Providers.
In a Mobile Connect deployment, AM can play the following roles:
- The OpenID provider role, implementing the Mobile Connect Profile as part of the Service Provider (Identity Gateway interface).
As OpenID provider, AM responds to a successful authorization request with a response containing all the required fields, and also the optional expires_in field. AM supports the mandatory ID token properties; the relying party is expected to use the expires_in value rather than specifying max_age as a request parameter. In addition to the standard user information returned by the userinfo endpoint, AM as OpenID provider for Mobile Connect returns the updated_at property, representing the time the profile was last updated, as seconds since the epoch.
- The Authenticator role, implementing the Mobile Connect Profile as part of the Identity Gateway (Authenticators interface).
In the Authenticator role, AM ensures that users authenticate at the appropriate Level of Assurance (LoA). A Service Provider requests an LoA without regard to how it is implemented, and the Identity Gateway includes a claim in the ID token that indicates the LoA actually achieved.
LoA support
In AM, each LoA maps to an authentication mechanism. Service providers, acting as relying parties, request an LoA by using the acr_values field in an authentication request. AM returns the LoA that was achieved in the corresponding acr claim of the ID token. AM supports the following LoAs:
- 1 (low: little or no confidence in the identity)
- 2 (medium: some confidence, as in single-factor authentication)
- 3 (high: high confidence, as in multi-factor authentication)
LoA 4, which involves digital signatures, is not supported. Therefore, the dtbs (data to be signed) authorization parameter is not supported when requesting tokens from the authorization endpoint.
Configure AM for Mobile Connect
Perform the steps in this procedure to set up the OAuth2 provider service:
- Configure an OAuth2 provider service in the realm.
Mobile Connect is an extension of OpenID Connect, so also review the additional configuration options described in OpenID provider configuration.
- Go to Realms > Realm Name > Services > OAuth2 Provider.
- Configure the OpenID Connect authentication context settings so that AM returns acr and amr claims in ID tokens. For information and examples, see Add authentication requirements to ID tokens.
- Go to Realms > Realm Name > Identity Stores > Identity Store Name > User Configuration.
AM returns updated_at values from the userinfo endpoint and in the ID token. If the user profile has never been updated, updated_at reflects the creation time. When using DS as an identity store, the value is read from the modifyTimestamp attribute, or from the createTimestamp attribute for a profile that has never been modified.
- Add the relevant attributes to the LDAP User Attributes list, and save your changes.
You can now use OpenID Connect with Mobile Connect. As required by the specification, you must use the Authorization Code flow to request ID tokens.
Supported authorization parameters
Each entry gives the request parameter, whether AM supports it, and a description.
- response_type (Supported): OAuth 2.0 response type. Set this to code, because Mobile Connect requires the Authorization Code flow.
- client_id (Supported): The client identifier of the relying party as registered with AM.
- scope (Supported): Space-delimited OAuth 2.0 scope values. Required: openid. Optional: profile, email, address, phone, offline_access.
- redirect_uri (Supported): OAuth 2.0 URI to which the authorization response is sent. Must match the redirect_uri in the client profile that you registered with AM.
- state (Supported): Opaque value that ties the callback to the request; the relying party checks it when the callback arrives. Required for Mobile Connect.
- nonce (Supported): String value that associates the client session with the ID token; the relying party checks that the ID token's nonce claim matches. Optional in OIDC, but required for Mobile Connect.
- display (Supported): String value that specifies how the user interface is displayed.
- login_hint (Supported): String value set to the identifier the user logs in with, for example Bob or bob@example.com, depending on how the authentication node or module is configured to search for users. When provided as part of the OIDC authentication request, the login_hint is set as the value of a cookie named oidcLoginHint. The cookie is flagged HttpOnly, so it is not readable by client-side scripts.
- acr_values (Supported): Space-delimited Authentication Context Class Reference values that list the LoAs acceptable to the relying party. AM returns the LoA achieved in the acr claim of the ID token. For more information, see The authentication context class reference (acr) claim.
- dtbs (Not supported): Data to be signed. Requires LoA 4, which AM does not support.
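The following is an added example, not code from AM, ForgeRock or the GSMA, that puts the LoA section and the parameter list above into practice from the relying party side: it builds an authorization request that carries the Mobile Connect required parameters (response_type=code, openid scope, state, nonce, acr_values), refuses LoA 4 and dtbs because AM does not support them, checks state on the callback, and then checks the nonce and acr claims of the ID token and the updated_at value against what was requested. The endpoint URL, client_id and redirect_uri are hypothetical; the ID token claims are assumed to have had their signature, issuer and audience verified already by a JOSE library.

```python
# Added example (not AM's or the GSMA's own code): build a Mobile Connect
# authorization request with the parameters listed above, then check the
# callback and the ID token claims the way a relying party should.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint and client values, used only for illustration.
AUTHORIZE_ENDPOINT = "https://am.example.com/am/oauth2/realms/root/authorize"
CLIENT_ID = "mobile-connect-rp"
REDIRECT_URI = "https://rp.example.com/callback"

# LoAs AM supports as acr values; 4 (digital signatures, dtbs) is not.
SUPPORTED_LOAS = ("1", "2", "3")


def build_authorization_request(login_hint, acr_values=("3",),
                                scope=("openid",), extra=None):
    """Return (url, state, nonce) for a Mobile Connect authentication request.

    state and nonce are generated here because Mobile Connect requires both;
    the caller keeps them in the user's session for the checks below.
    """
    if "openid" not in scope:
        raise ValueError("scope must include openid")
    bad = [v for v in acr_values if v not in SUPPORTED_LOAS]
    if bad:
        raise ValueError(f"unsupported acr_values: {bad}")
    extra = dict(extra or {})
    if "dtbs" in extra:
        raise ValueError("dtbs is not supported (requires LoA 4)")
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",  # Authorization Code flow is mandatory
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope),
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
        "login_hint": login_hint,
        **extra,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce


def parse_request(url):
    """Flatten the query string of an authorization request or callback URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_callback(callback_url, expected_state):
    """Verify state on the redirect back and return the authorization code."""
    q = parse_request(callback_url)
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in q:
        raise ValueError(f"authorization error: {q['error']}")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"]


def validate_id_token_claims(claims, expected_nonce, requested_acr, now=None):
    """Return a list of problems with the ID token claims (empty means OK).

    Assumes the JWT signature, iss and aud were already verified by a JOSE
    library; this function covers only the Mobile Connect specific checks.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    acr = claims.get("acr")
    if acr is None:
        problems.append("acr claim missing")
    elif acr not in requested_acr:
        # AM returns the LoA achieved; a value outside the requested set
        # means the user did not authenticate at an acceptable level.
        problems.append(f"acr {acr!r} not among requested {list(requested_acr)}")
    if claims.get("exp", 0) <= now:
        problems.append("ID token expired")
    return problems


def check_updated_at(userinfo, now=None):
    """Return True if updated_at is an epoch-seconds integer not in the future.

    With DS as the identity store the value comes from modifyTimestamp, or
    from createTimestamp for a profile that has never been modified.
    """
    now = time.time() if now is None else now
    value = userinfo.get("updated_at")
    return isinstance(value, int) and not isinstance(value, bool) and 0 < value <= now
```

The acr check is a membership test on purpose: acr_values lists the LoAs the relying party finds acceptable, so an acr outside that set (for example 1 when 2 and 3 were requested) is a reason to reject the login, not to downgrade silently. The token-endpoint exchange of the code and the JWT signature verification are left to whatever OAuth 2.0 and JOSE libraries the relying party already uses.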
For access to a simple, non-secure GSMA Mobile Connect relying party sample, see How do I access and build the sample code provided for AM/OpenAM (All versions)? in the ForgeRock Knowledge Base.